January 23rd, 2008 by Dianne Lagrimas (Technical Communications)
A new worm, detected as WORM_IRCBOT.SN, is currently making its rounds via MSN Messenger. In some instances it name-drops the popular social networking sites MySpace and Facebook as it spreads. It sends any of the following messages together with a link where the recipient can supposedly “view” the picture the message refers to:
- can i throw this picture of you and me on myspace?
- Wanna see my pictures before i send em to facebook?
- can I throw this picture of us on my facebook.. please?
- I think this picture is terrible. but my friends on myspace want to see it. please dont show noone.
- do I look dumb in this picture? I want to put it on myspace.
- do you think I look ugly in this pic? its one of my new ones too :(
- hey i found your picture on hotornot.com! I swear its you!
- OMG, i found ur pic on cuteornot.com! im not kidding either!!!
- jesus this person really looks like you!
- This picture isnt you… right? lol
This is only a partial list; the worm carries many more lines, most of them about photos. Another interesting detail, observed by our senior analysts, is that the messages change according to the language of the affected operating system. Judging by the ploys used (the MySpace and Facebook names, and the references to country codes in its registry entries) and by the range of languages this localizing MSN worm speaks, its authors are trying to capture as wide an audience as possible.
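The lure messages above share a recognizable shape: a photo-themed sentence, often a social-network name, a direct appeal to the recipient, and a link to the "picture" (which is really the worm). The following Python script is an added example, not code from the original post or from Trend Micro, that scores instant messages on those features so an IM gateway or log review can flag likely lures. The weights, the threshold and the sample messages (which use the reserved `example.invalid` domain) are all constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed heuristics for this example; the weights are assumptions, not vendor signatures.
URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
RISKY_EXT_RE = re.compile(r"\.(?:exe|scr|pif|com|zip|rar|bat)(?:[?#]|$)", re.IGNORECASE)
PHOTO_WORDS = {"picture", "pictures", "pic", "pics", "photo", "photos"}
SITE_WORDS = {"myspace", "facebook", "hotornot.com", "cuteornot.com"}
YOU_WORDS = {"you", "ur", "u", "us"}
THRESHOLD = 5  # assumed cut-off; tune against real traffic


@dataclass
class Verdict:
    score: int
    flagged: bool
    reasons: list = field(default_factory=list)


def tokenize(text):
    # Lower-case word tokens; keeps dotted hostnames such as hotornot.com intact
    # and drops trailing punctuation like "myspace.." or "pic?".
    return set(re.findall(r"[a-z0-9]+(?:\.[a-z0-9]+)*", text.lower()))


def score_message(text, threshold=THRESHOLD):
    """Score one IM message; a lure needs a link plus photo/social-network bait."""
    urls = [u.rstrip(".,!?") for u in URL_RE.findall(text)]
    # Strip URLs before tokenizing so words inside the path (e.g. /pics/) do not count as bait.
    toks = tokenize(URL_RE.sub(" ", text))
    score, reasons = 0, []
    if urls:
        score += 2
        reasons.append("link")
        if any(RISKY_EXT_RE.search(u) for u in urls):
            score += 2
            reasons.append("executable-or-archive-link")
    if toks & PHOTO_WORDS:
        score += 2
        reasons.append("photo-lure")
    if toks & SITE_WORDS:
        score += 1
        reasons.append("social-site-name")
    if toks & YOU_WORDS:
        score += 1
        reasons.append("addresses-recipient")
    return Verdict(score, score >= threshold, reasons)


def scan(messages, threshold=THRESHOLD):
    """Return the indexes of messages that cross the threshold."""
    return [i for i, m in enumerate(messages) if score_message(m, threshold).flagged]


# Constructed sample traffic: two lures modelled on the worm's wording, three benign lines.
SAMPLE_MESSAGES = [
    "can i throw this picture of you and me on myspace? http://example.invalid/pics/DSC0021.JPG.exe",
    "do you think I look ugly in this pic? http://example.invalid/album.zip",
    "hey, are we still on for lunch tomorrow?",
    "here is the quarterly report http://example.invalid/q4.pdf",
    "check out this photo http://example.invalid/a.html",
]

if __name__ == "__main__":
    for i, msg in enumerate(SAMPLE_MESSAGES):
        v = score_message(msg)
        print(f"[{'LURE' if v.flagged else 'ok  '}] score={v.score} {v.reasons} :: {msg}")
```

The last sample message (a photo word plus a link, but no executable and no appeal to the recipient) scores 4 and stays below the threshold, which is deliberate: a link to a photo is ordinary IM traffic, and it is the combination of bait, recipient appeal and a link to an executable that characterizes this worm.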
January 23rd, 2008 by Bernadette Irinco (Technical Communications)
No sooner had the world learned of the untimely death of Heath Ledger (Brokeback Mountain) than malware authors started using the late actor’s name as a social engineering ploy. Within hours of the first reports, Research Project Manager Ivan Macalintal discovered a couple of malicious URLs that turn up when users key in the search terms “heath” and “ledger”:

This is very similar to the poisoned Google searches reported last Christmas. A user who clicks on any of these links is led to the following page, riddled with SEO (search engine optimization) keywords:

However, the user never actually sees this page, because it automatically redirects to another site, which prompts the user to download a “new version of ActiveX Object.” As expected, this is just the first of a series of redirections that ends in the download of various malicious files (TROJ_RENOS.LZ in one infection chain, WORM_NUCRP.GEN in another).

There seems to be a bigger story behind this particular attack. Upon deeper analysis, our researchers have reason to believe that these malicious URLs are among those resulting from the suspected compromise of Web servers belonging to a Czech hosting provider. Hacked sites hosted on these servers carry malicious JavaScript code (detected by Trend Micro as JS_DLOADER.DAT) which, when accessed, follows the same redirection sequence as the Heath Ledger links above.
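When documenting a chain like the one above (SEO page, redirect, fake "ActiveX Object" prompt, executable), an analyst wants every hop recorded with the mechanism that triggered it, and a hard stop on loops and runaway chains. The Python tracer below is an added example, not code from the original post or from Trend Micro. It works against any `fetch(url)` callable so it can be run offline; the simulated site, the URLs (all under the reserved `example.invalid` domain) and the set of redirect mechanisms it recognizes (HTTP 3xx `Location`, `<meta http-equiv="refresh">`, and a JavaScript `location` assignment) are assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


@dataclass
class TraceResult:
    chain: List[str]          # every URL visited, in order
    hop_kinds: List[str]      # mechanism that triggered each hop
    stopped: str              # "end", "loop" or "max-hops"
    ends_in_executable: bool  # final URL looks like a binary download
    activex_lure_seen: bool   # some page in the chain mentioned "ActiveX"


# Redirect mechanisms recognized by this tracer (an assumed set for the example).
META_REFRESH_RE = re.compile(
    r"""<meta[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*content\s*=\s*["']?\s*\d+\s*;\s*url\s*=\s*([^"'>\s]+)""",
    re.IGNORECASE)
JS_LOCATION_RE = re.compile(
    r"""(?:(?:window|document|top|self)\.)?\blocation(?:\.href)?\s*=\s*["']([^"']+)["']""",
    re.IGNORECASE)
EXECUTABLE_RE = re.compile(r"\.(?:exe|scr|pif|com|zip)(?:[?#]|$)", re.IGNORECASE)


def next_hop(resp: Response):
    """Return (url, mechanism) for the redirect a response triggers, or (None, None)."""
    if 300 <= resp.status < 400:
        loc = {k.lower(): v for k, v in resp.headers.items()}.get("location")
        if loc:
            return loc, "http-3xx"
    m = META_REFRESH_RE.search(resp.body)
    if m:
        return m.group(1), "meta-refresh"
    m = JS_LOCATION_RE.search(resp.body)
    if m:
        return m.group(1), "js-location"
    return None, None


def trace(start_url: str, fetch: Callable[[str], Response], max_hops: int = 10) -> TraceResult:
    """Follow a redirect chain, stopping on a terminal page, a loop, or the hop limit."""
    chain, kinds, seen = [start_url], [], {start_url}
    lure_seen = False
    url = start_url
    for _ in range(max_hops):
        resp = fetch(url)
        lure_seen = lure_seen or "activex" in resp.body.lower()
        nxt, kind = next_hop(resp)
        if nxt is None:
            return TraceResult(chain, kinds, "end", bool(EXECUTABLE_RE.search(url)), lure_seen)
        kinds.append(kind)
        chain.append(nxt)
        if nxt in seen:  # loop: the chain revisits a URL already fetched
            return TraceResult(chain, kinds, "loop", False, lure_seen)
        seen.add(nxt)
        url = nxt
    return TraceResult(chain, kinds, "max-hops", bool(EXECUTABLE_RE.search(url)), lure_seen)


# Constructed offline stand-in for the chain described in the post (not the real sites).
SIMULATED_SITE = {
    "http://seo-page.example.invalid/heath-ledger-news.html": Response(200, {},
        '<html><body>heath ledger heath ledger news actor heath ledger '
        '<meta http-equiv="refresh" content="0; url=http://hop2.example.invalid/go"></body></html>'),
    "http://hop2.example.invalid/go": Response(302, {"Location": "http://hop3.example.invalid/video.html"}, ""),
    "http://hop3.example.invalid/video.html": Response(200, {},
        '<html><body>To view this video you need a new version of ActiveX Object.'
        '<script>window.location.href = "http://hop3.example.invalid/ActiveXObject.exe";</script></body></html>'),
    "http://hop3.example.invalid/ActiveXObject.exe": Response(200, {"Content-Type": "application/octet-stream"}, "MZ..."),
}


def simulated_fetch(url: str) -> Response:
    return SIMULATED_SITE.get(url, Response(404, {}, ""))


if __name__ == "__main__":
    result = trace("http://seo-page.example.invalid/heath-ledger-news.html", simulated_fetch)
    for i, u in enumerate(result.chain):
        print(f"{i}: {u}" + (f"  <- {result.hop_kinds[i - 1]}" if i else ""))
    print(result.stopped, result.ends_in_executable, result.activex_lure_seen)
```

Swapping `simulated_fetch` for a real, sandboxed HTTP client turns this into a chain recorder for incident notes; the per-hop mechanism list is what lets you tell an HTTP-level redirect (visible to a proxy) from a page-level one (only visible if the HTML is inspected).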
Piggybacking on newsworthy events is not new: a month ago, malware authors likewise jumped on the assassination of Pakistan Prime Minister Benazir Bhutto. In this case, they simply used news of Ledger’s death to trigger massive redirections, knowing that many people would search for this hot news item.
Trend Micro’s Web Threat Protection provides defenses at several points in this infection chain: our Web Filtering technology blocks access to the malicious sites, and our scan engine detects both the JavaScript that launches the attack and the files the malware eventually attempts to download onto the affected system.
Our analysts have already initiated communication with Czech CERT to properly inform the parties affected by this massive hacking incident.
Information and screenshots provided by Ivan Macalintal and Threat Response Engineer Maersk Menrige
Write-up updated by Ma. Christina Cruz